5

I've read that many networks use ingress/egress filtering to eliminate the number of spoofed UDP packets sent and received by their network.

Given that network providers have been much more diligent in restricting the amount of spoofed UDP packets sent and received by their networks, is it possible to send a UDP packet with a spoofed header that is drastically different than its actual IP address?

Besides blocking spoofed packets from leaving their networks, in which other ways can network providers ensure that they are not passing along or sending spoofed UDP packets?

Barkley
    I think any answer depends on the ISP and the methods of filtering. Is it possible? Yes, if you find a way around their filters. – schroeder Mar 27 '17 at 06:35

1 Answer

3
  1. It is possible to spoof IP addresses. The issue is always the underlying protocol. For TCP/IP, you're almost out of luck unless you don't proceed with a full handshake. For UDP however, if you don't care about a response and aren't trying to build fault tolerance, you can use it.

  2. There are several ways routers can stop IP address spoofing. The main ways for Cisco routers are:

LAN

Involve any solution that attempts to minimize asymmetric routing, e.g. Spanning tree protocol STP. Naturally a spoofed UDP packet won't have a symmetric route. The only problem is that the directed graph issue would entail a subset of nodes in the routing to support STP. Also, UDP may not be affected.

WAN

RFC 1812 addresses your concern. Note the fact that there are a lot of asymmetric routes on the internet, so it becomes a harder task. The above RFC was referenced here:

"We considered suggesting routers also validate the source IP address of the sender as suggested in [8], but that methodology will not operate well in the real networks out there today. The method suggested is to look up source addresses to see that the return path to that address would flow out the same interface as the packet arrived upon. With the number of asymmetric routes in the Internet, this would clearly be problematic."

grepNstepN
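An added example, not part of the answer above or the original question, of the reverse-path check the quoted RFC text describes, written in Python against a constructed routing table; the interface names, prefixes and sample packets are assumptions. It shows both the strict form, which also drops legitimate traffic arriving over an asymmetric route, and the loose form, which only rejects sources that have no route back at all.

```python
import ipaddress
# Constructed routing table for the illustration: (prefix, egress interface).
# Interface names and prefixes are assumptions, not from the original post.
ROUTES = [
    ("0.0.0.0/0", "wan0"),      # default route towards the upstream
    ("10.0.0.0/8", "lan0"),     # customer LAN behind this router
    ("192.0.2.0/24", "wan1"),   # prefix reached via a second upstream
]

def best_route(dst, routes=ROUTES, allow_default=False):
    """Longest-prefix match for dst; returns the egress interface or None.
    The default route is ignored unless allow_default is set, because it
    would otherwise make every source address look reachable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rpf_check(src, ingress, mode="strict", routes=ROUTES, allow_default=False):
    """Reverse-path check in the sense of RFC 1812 / BCP 38.
    strict: accept only if the return route to src exits via the ingress
            interface (fails on asymmetric routes, as the quoted text warns).
    loose:  accept if any (non-default) route to src exists at all."""
    egress = best_route(src, routes, allow_default)
    if egress is None:
        return False          # no route back to the claimed source
    if mode == "loose":
        return True
    return egress == ingress  # strict: must match the arrival interface

def dropped(packets, mode="strict"):
    """Return the (src, ingress) pairs a router running this check would drop."""
    return [p for p in packets if not rpf_check(p[0], p[1], mode)]

# Constructed sample traffic: (claimed source address, arrival interface)
SAMPLE = [
    ("10.1.2.3", "lan0"),     # genuine customer packet
    ("10.1.2.3", "wan0"),     # LAN address arriving from outside: spoofed
    ("192.0.2.7", "wan0"),    # real prefix, asymmetric path (best route is wan1)
    ("203.0.113.9", "lan0"),  # customer claiming an address it does not own
]
if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, "drops:", dropped(SAMPLE, mode))
```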